Network design recommendations?
I just finished reading some min. hardware recommendations, and the quick installation how to,
I have a few older systems laying around the house/work where I should be in good hands to put together a quick router/firewall.. with two nic's one WAN and one LAN..(right)?
I'm will be building this for hobby/education on my home lan which currently I have 3 pc's, 2 network printers, a few wireless clients(sometimes) and a windows server 2008 which currently only host my DHCP server for now(w2k8 is also just for educational purposes)..
basically im just looking for suggestions for hardware and how you yourself would organize this type of infrastructure with the pfsense as a router/ firewall/vpn/ pcaps …..
Also I was wondering how to use a generic linksys or netgear router as just a switch off the pfense router
I'm think my setup would look something like this ......
[cable modem ] <–-> [WAN-pfsense router/firewall/vpn] <–-> [ linksys router54g wireless/wired used as a switch only(if possible) ]
| | |
[DMZ/servers] [vlan-isolated for wireless] [LAN/host]
You probably need to provide more information, at least about some aspects of this. For example, I presume your DMZ is to host server you want accessible from the internet. But what sort of access? Unsolicited "general access" say for a web server? If so, it would be worth having an additional interface in pfSense to connect to "DMZ systems" (directly to one system, or through a switch if you have multiple systems). This gives you the capability of configuring different firewall rules for your DMZ systems than for your LAN systems. For example, you might want to allow "unsolicited" access to DMZ systems but prohibit "unsolicited" access to your LAN systems.
I can share my config with you, although… some call it overkill :o
I run pfSense in a Vmware ESX enviroment, and therefore have access to quite a few virtual NICs (which is nice for segmentation and VLAN purposes).
This is the vlan-config running inside vmware :
And this is what the physical cabling looks like :
The VLAN 200 is a isolated connection to my DSL-modem, incase I need things to have direct access (official IP's), and if I put a host in this VLAN it will get a DHCP from my ISP.
The VLAN 300 is my internal VLAN for regular connected laptops \ computers that I trust, I'm thinking of implementing a auth of some sort for this VLAN.
The VLAN 400 is my Wireless Guest network, the host connected here have no access to the internal network, but talk only to pfSense and the internet, there is also a captive portal here
The VLAN 500 is my Wireless internal network, where I myself and other trusted computer connect, same priveleges as VLAN 300, but this SSID is hidden and WPA2-protected, also my IP-telephone is on this network
The VLAN 600 is the management VLAN on which only managementstuff is, like the Switches, accesspoints and iLO of the servers
This is btw only my lab :P